Enabling symptom verification

ABSTRACT

Systems, products and methods for enabling symptom verification. Verifying a symptom may include eliminating repeated symptom definitions or eliminating symptoms having low accuracy. A computer system enables verification of a symptom including a rule for detecting a set of events related to a given problem. The computer system includes a symptom database which stores the symptom, a specimen database which stores a specimen including a set of events detected according to a rule of a certain symptom, and an analysis unit which analyzes the specimen stored in the specimen database using a new symptom in order to determine whether to add the new symptom to the symptom database. The present disclosure also includes a method and a computer program for enabling verification of a symptom including a rule for detecting a set of events related to a given problem.

PRIORITY

This application is a continuation of and claims priority to U.S. patentapplication Ser. No. 15/366,870, filed Dec. 1, 2016, which is acontinuation of U.S. Ser. No. 15/269,282 filed Sep. 19, 2016, which is acontinuation of U.S. Ser. No. 12/323,633 filed Nov. 26, 2008, which isbased on and claims the benefit of priority from Japanese patentapplication No. 2007-338120, filed Dec. 27, 2007. The entire contentsand disclosures of U.S. patent application Ser. Nos. 15/366,870,15/269,282 and 12/323,633, and Japanese patent application No.2007-338120 are incorporated by reference herein.

BACKGROUND

An autonomic computing environment is able to manage itself anddynamically adapt to change in accordance with business policies andobjectives. An autonomic system is capable of monitoring an environment(Monitoring), analyzing a monitoring result (Analyzing), planning animprovement if there is any problem (Planning), and executing theimprovement (Executing). Collectively, these processes are known as theMAPE loop. Since the autonomic computing environment enables an activityto be performed on the basis of self-monitoring or self-detecting in anIT environment, an IT professional does not need to start a task. Theautonomic computing environment may be self-configuring (dynamicallyadapting to changing environments), self-healing (discovering,diagnosing, and correcting problems to prevent system disruptions),self-optimizing (tuning resources and balance workloads to maximize theuse of IT resources), and self-protecting (anticipating, detecting, oridentifying to prevent danger and protect against attacks).

SUMMARY

Symptom problem determination systems accumulate a large number ofsymptoms. Symptoms include a rule for detecting a set of events relatedto a given problem. It is problematic to register and add symptomsendlessly due to recording medium capacity, security, and compliance.Repeated symptom definitions may cause a plurality of symptoms to beextracted even if only one type of problem occurs. Non-associatedsymptoms may be extracted due to low accuracy of a symptom rule (a‘loose symptom rule’). Specifically, a detection error may occur. A useris not able to identify the repeated symptom definition or the detectionerror.

Methods, systems, and products are disclosed for enabling verificationof a symptom. One embodiment of the present invention is a computersystem for enabling verification of a symptom. The computer system maybe a server computer for implementing autonomic computing or be acomputer associated with a server computer. The computer system includesa symptom database which stores the symptom, a specimen database whichstores a specimen including a set of events detected according to a ruleof a certain symptom, and an analysis unit which analyzes the specimenstored in the specimen database using a new symptom in order todetermine whether to add the new symptom to the symptom database. Aresult of the analysis may be presented on a display device connected tothe computer system. Additional embodiments may include a method ofcausing a computer system to perform the method described below and acomputer program that causes the foregoing computer system to performthe method described below. The computer program may be distributed inthe form of a magnetic disk, an optical disk, a semiconductor memory, orother recording mediums or provided via a network.

One embodiment of the present invention is a computer system forenabling verification of a new symptom. The new symptom includes a rulefor detecting a set of events related to a given problem. The computersystem includes a symptom database which stores existing symptoms and aspecimen database which stores existing specimens. An existing specimenincludes a set of events detected according to a rule of one of theexisting symptoms. The computer system also includes an analysis unitcomprising a computer processor and a computer memory operativelycoupled to the computer processor. The computer memory has disposedwithin it computer program instructions capable of analyzing theexisting specimens stored in the specimen database using the new symptomto determine whether to add the new symptom to the symptom database.

One embodiment of the present invention is a computer-implemented methodfor enabling verification of a new symptom. The method includesproviding a symptom database which stores existing symptoms; providing aspecimen database which stores existing specimens; and analyzing thespecimens stored in the specimen database using a new symptom in orderto determine whether to add the new symptom to the symptom database.

One embodiment of the present invention is a computer program productfor enabling verification of a new symptom. The new symptom includes arule for detecting a set of events related to a given problem. Thecomputer program product is disposed upon a computer-readable medium.The computer program product includes computer program instructionscapable of maintaining a symptom database which stores symptoms;computer program instructions capable of maintaining a specimen databasewhich stores specimens; and computer program instructions capable ofanalyzing existing specimens stored in a specimen database using the newsymptom in order to determine whether to add the new symptom to asymptom database containing existing symptoms.

An existing specimen includes a set of events detected according to arule of one of the existing symptoms. An existing specimen may include afirst specimen, which includes a set of events detected according to arule of a certain symptom, and a second specimen which includes thefirst specimen and at least one of events preceding the first specimenand events following the first specimen.

The foregoing and other objects, features and advantages of thedisclosure will be apparent from the following more particulardescriptions of exemplary embodiments of the invention as illustrated inthe accompanying drawings wherein like reference numbers generallyrepresent like parts of exemplary embodiments of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of a problem determination system.

FIG. 2A and FIG. 2B are diagrams illustrating a conversion from a logfile to a CBE.

FIG. 3 is a diagram illustrating an example of analyzing the CBE usingsymptoms.

FIG. 4 is a diagram illustrating a symptom and specimens.

FIG. 5 is a diagram illustrating a computer system according to anembodiment of the present invention.

FIG. 6 is a diagram illustrating an embodiment of repeated symptomdefinition verification.

FIG. 7 shows the verification of the rule of a new symptom.

FIG. 8 shows the verification of the rules of existing symptoms.

FIG. 9 is a flow chart illustrating the verification of a symptom.

DETAILED DESCRIPTION

Basic terms of the present disclosure will be described below.

An “event” is a change in state of a monitored resource such as a systemresource, a network resource, or a network application. The event may becaused by a problem, a problem solution, or normal completion of a task.Specifically, the event includes a hardware or software failure,shutdown, a performance bottleneck, a network configuration mismatch,unintended consequences caused by an insufficient design, and a damagecaused by the malice of others such as a computer virus. One example ofan event is that the memory usage exceeds a threshold value.

“Common Base Event” (‘CBE’) is the specification of a standard form andcontents for representing an event structure, which is sent as a resultof a certain state and thereafter used in an enterprise managementapplication or a business application. In the CBE, it is possible torepresent data in Extensible Markup Language (‘XML’). CBE is a commonlog format adopted as the standard by Organization for the Advancementof Structured Information Standards (‘OASIS’). The Common Base Eventincludes logging, tracing, management, and business events.

“Knowledge” in the autonomic computing system can include almost anytype of structured data or structured information that is used toperform a process, particularly a process that is allowed to beautomated. Since the autonomic computing system allows wide scope forknowledge, knowledge may include data stored in a log file, status dataon a management end point (touch point) or a process, and schedule dataon a period during which a change to the system is allowed. Types ofknowledge include, for example, a solution topology knowledge (forexample, an installable unit descriptor), a policy knowledge, and aproblem determination knowledge (for example, data or symptom to bemonitored). A Prolog program, which is a general type of knowledge, is aset of facts and rules about a given subject. In the autonomic computingsystem, knowledge may be represented in some standard form so as toallow an autonomic manager to use the knowledge.

A “symptom” is one of the types of knowledge. A symptom is dataindicating a potential problem or a diagnostic status related to one ormore managed resources. The symptom may include three constituentelements: a symptom definition, a symptom rule, and a symptom effect.The symptom definition defines general information (metadata) on asymptom. It is possible to describe the symptom definition by using anXPATH expression, a regular expression, a decision tree, a dependencygraph, a Prolog description, an ACT pattern, a TEC rule, or a neuralnetwork. The symptom rule is for use in detecting a set of eventsrelated to a given problem. It is possible to describe the symptom ruleby using an XPATH expression or the like or by using a program. For thesymptom effect, action to be taken at an occurrence of a problem and adetailed description of the action, if necessary, are described. Using asymptom, it is possible to detect a set of trigger events and a patternof the set of events. Examples of the pattern include a “one-to-one”event matching, a plurality of events (‘multi-event’), the occurrencenumber of events, the order of events (an ‘event sequence’), an eventtime frame, a detection of nonoccurrence of events, and combinationsthereof. The symptom is identified inside monitoring of the MAPE loopand used in analyzing thereof. The autonomic manager performs anassociation between an event and a symptom in the monitoring by using asymptom catalog. The symptom is generated by using a monitoring functionsuch as, for example, the autonomic manager that correlates themonitored data such as, for example, the Common Base Events. The symptommay be expressed in XML.

The relationship between an event and a symptom is as described below.The event is a change in state of a monitored resource (for example, thememory usage has reached 512 M). The symptom is data indicating apotential problem or a diagnostic status. Therefore, a potential problemor diagnostic status for a case where an event x (or an event x and anevent y, etc.) occurs under certain conditions is, for example, that thememory is insufficient or that the memory usage exceeded the set limitthree times within 10 minutes. Then, action to be taken at theoccurrence of the problem or diagnostic status is, for example, toincrease a buffer size.

“Autonomic” means self-management for a problem, security threat, and asystem failure.

“Autonomic computing” means computing with the ability to self-manageand dynamically adapt to change in accordance with business policies orobjectives.

An “autonomic computing system” is a computing system that senses itsoperating environment, models the behavior of the environment, and takesaction to change the environment or its behavior. An autonomic computingsystem has the properties of self-configuration, self-healing,self-optimization, and self-protection.

An “autonomic manager” is a component that manages other software orhardware by using a control loop in autonomic computing. The controlloop of the autonomic manager includes monitoring, analyzing, planning,and executing functions.

While the present disclosure is particularly used in the autonomiccomputing field, it is not limited to the autonomic computing field.Moreover, the present disclosure may be used also in an environmentwhere the computer manages itself such as, for example, N1 Grid of SunMicrosystems, Inc., Adaptive Infrastructure of Hewlett-Packard Co.,VALUMO of NEC Corporation, Harmonious Computing of Hitachi, Ltd., andTRIOLE of Fujitsu Limited.

According to the present disclosure, it is possible to verify a symptomsuch as, for example, to verify a repeated symptom definition, or toincrease the accuracy of a symptom rule. This increases theeffectiveness of the symptom problem determination system and enables areturn of an accurate diagnostic result for an event to a user.

Various embodiments of the present invention will be describedhereinafter with reference to the drawings. It will be appreciated thatthese embodiments are only for illustration and are not intended tolimit the scope of the invention to specific implementations set forth.Moreover, unless otherwise specified, the like reference numeralsdesignate like elements throughout the drawings referenced below.

FIG. 1 shows a schematic diagram of a problem determination system inautonomic computing. An administrator (101) of the problem determinationsystem extracts, as knowledge, the features of a log file or dump fileincluding an error message at the occurrence of a problem from theexamples of past failures and registers the features into a knowledgedatabase (102). It is possible to construct the knowledge database usingproducts such as DB2 from International Business Machines Corporation ofArmonk, N.Y. (hereinafter ‘IBM’), for example. The problem determinationsystem (100) generates a symptom from the knowledge and stores thesymptom into a symptom database (103). The symptom database is alsoreferred to as a symptom catalog. Additionally, a user or a help desk(104) sends the log file or the dump file (105) from a computer operatedby the user to a problem determination system (100). The computeroperated by the user may be, for example, a client system. The problemdetermination system may be, for example, a server computer. The logfile (or the dump file) (105) includes events of an application, adatabase, an application server, a server storage device, and a network,for example. The format of the log file (105) depends upon a component.Therefore, in order to unify the format of the log file or the dump file(105), the server computer (100) converts the log file (105) into aCommon Base Event (106) (hereinafter, referred to as ‘CBE’). Productssuch as DB2 and WebSphere from IBM provide functionality for directlyoutputting the CBE. Products such as Generic Log Adapter (GLA), anEclipse-based development tool from IBM provide functionality forconverting an existing log to the CBE.

The problem determination system (100) stores error messages andsolutions corresponding to each error message in the symptom database,making it possible to provide advice to the administrator based on apast solution in the case of an reoccurring message. The problemdetermination system (100) analyzes the foregoing CBE (106) according tothe symptom rule stored in the symptom database (103). The systemextracts the symptom (107), meaning it analyzes the CBE (106) andidentifies a set of events in the CBE (106) that correspond to a symptomin the symptom database (103). Further, the problem determination system(100) determines the problem or the solution to the problem based on theeffect of the extracted symptom. The system presents the determinationresult as a diagnostic result (108) on a display device connected to theuser's client system. The diagnostic result includes a clue for solvingthe problem using the symptom database. The diagnostic result may bepresented by using a log analysis tool such as, for example, the LogTrace Analyzer (LTA) from IBM.

FIG. 2A and FIG. 2B show an example of converting a log file (201) to aCBE (202). Converting from the log file (201) to the CBE (202) may becarried out by using a direct output function or a conversion toolincluded in software such as the DB2 and WebSphere products discussedabove. The log file (201) in FIG. 2 includes events identified bymessage IDs, TCPC0003E, CHFW0029E, and TCPC001I and their contents. Byconverting the log file (201) to the CBE (202), the system converts thelog file (201) to a given format for each message ID.

FIG. 3 shows an example of analyzing (303) a CBE (301) using symptomsstored in a symptom database (302). The CBE (301) includes a pluralityof events identified by message IDs. A symptom database (302) has aplurality of symptoms. Analyzing the CBE (301) using the symptoms allowssymptoms to be extracted by which a set of events included in the CBEare detectable. In the case of an IBM correlation rule, which is anexample of the symptom rule, seven types of rules are supported.Specifically, the IBM correlation rule includes a filter rule as astateless rule, and a collection rule, a calculation rule, an overlaprule, a sequence rule, a threshold rule, and a timer rule as statefulrules.

In FIG. 3, the CBE (301) includes a set of events identified in theorder of TCPC0003E and CHFW0029E. The CBE analysis using the pluralityof symptoms included in the symptom database causes an extraction of asymptom for detecting the foregoing set of events included in the CBEanalysis. The symptom extraction (303) results in a problem found (304).Thereafter, a technical note (supplementing the message IDs or adviceinformation) is presented (305) which corresponds to the symptom effectof the extracted symptom.

FIG. 4 shows a symptom and specimens used in this embodiment of thepresent invention. Symptom A in FIG. 4 includes a rule for detecting aset of events identified in the order of TCPC0003E and CHFW0029E. Thefollowing is an example of a rule description in XPath format.

<expression:xpathExpression>/CommonBaseEvent[contains*[msg, ‘TCPC0003E’and ‘CHFW0029E’] or msgData Element/msgId= ‘TCPC0003E’ and‘CHFW0029E’]</expression:xpathExpression>

The specimen includes a set of events detected according to the rule ofa certain symptom and message identifiers for use in identifying events.Moreover, the events in the list which have been detected according tothe rule of the corresponding symptom are recorded with respect to eachspecimen (not shown). In this embodiment of the present invention, twotypes of specimens are used for analysis with a certain symptom (symptomA (401)).

The first specimen, also referred to as a short specimen, includes a setof events detected according to the rule of the certain symptom. In someimplementations, the first specimen may consist of only a set of eventsdetected according to the rule of the certain symptom. The firstspecimen of FIG. 4 is a “match in the set of events”, which means thatthe specimen consists of only a set of events detected according to therule of the certain symptom, and the order of the detected events is thesame as in the rule. The first specimen may be used for finding repeatedor duplicate symptom definitions.

The second specimen, or long specimen, includes a set of events detectedaccording to the rule of a certain symptom and a set of eventspreceding, following, or both preceding and following the set of events.In other words, the second specimen includes a set of events notdetected according to the foregoing rule of the certain symptom. Thefirst specimen is a subset of the second specimen. The second specimenmay be used for verifying the accuracy of a symptom. Particularly, thesecond specimen is used for finding a symptom having a loose rule,(i.e., a low-accuracy symptom). A distinction between the short specimenand the long specimen is made, for example, by setting a flag in eachspecimen.

Specimens may be used to determine whether the administrator should adda new symptom to a symptom database, as discussed below with referenceto FIGS. 5-8. FIG. 5 shows a general view of one embodiment of acomputer system (500) in accordance with the present invention. Thecomputer system (500) may include a server computer for implementingautonomic computing or a computer associated with the server computer.In the computer system of FIG. 5, specimens include a new specimen (503)and specimens stored in the specimen database (510) (also referred to asexisting specimens).

The computer system or the administrator generates a new specimen (503)according to the generation of a new symptom (502) in order to determinewhether to add the new symptom to the symptom database (509). The newspecimen (503) may include a short specimen and a long specimen. In FIG.5, the new specimen (503) is generated by the administrator (501).Alternatively, a program for generating the new specimen may cause acomputer system to automatically generate the new specimen. The newspecimen includes a set of events detected according to the rule of thecorresponding new symptom on the basis of a log file or dump file. Forexample, a short specimen includes a set of events matching a set ofevents detected according to the rule included in the corresponding newsymptom. A long specimen includes a set of events matching a set ofevents detected according to the rule included in the corresponding newsymptom and a set of events preceding, following, or both preceding andfollowing the set of events. After verification, the administratorstores the new specimen into the specimen database (510).

The existing specimens are also used to determine whether to add the newsymptom to the symptom database. An existing specimen may include ashort specimen and a long specimen.

Returning to FIG. 4, short specimen (403) includes only a set of eventsidentified in the order of TCPC0003E and CHFW0029E, and long specimen(402) includes a set of events identified in the order of TCPC0003E andCHFW0029E and a set of events preceding and following that set ofevents. In order to determine whether to add symptom A to the symptomdatabase, the administrator or the system provides a short specimen(403) and a long specimen (402) corresponding to the symptom A.

With reference to FIG. 5, the administrator (501) of the computer system(500) inputs a new symptom (502) and a new specimen (503) correspondingto the new symptom (502). The new specimen (503) includes a shortspecimen and a long specimen corresponding to the new symptom (502).Then, the administrator (501) initiates a specimen analysis usingsymptoms (507) to determine whether to add the new symptom (502) to thesymptom database (509).

Specimen analysis using symptoms (507) is described below with referenceto FIGS. 6-8. If a specimen includes a set of events detected accordingto the rule of a symptom, the specimen is extracted by the symptom.Extracting the specimen is referred to as “specimen hit” in thisspecification.

The symptom overlap verification unit (504) verifies that the newsymptom (502) does not overlap with a symptom stored in the symptomdatabase (509), as described in greater detail with reference to FIG. 6below.

The symptom rule verification unit (505) verifies the accuracy of therule of the new symptom (502), as described in greater detail withreference to FIG. 7 below. The symptom rule verification unit (505) alsoverifies the accuracy of rules of the symptoms stored in the symptomdatabase (509) (hereinafter, referred to as ‘existing symptoms’). FIG. 8shows the details of this verification. Although FIG. 5 shows thesymptom overlap verification unit (504) and the symptom ruleverification unit (505) as separate units, the symptom overlapverification unit and the symptom rule verification unit may be unifiedinto a single symptom verification unit.

The symptom and specimen storage unit (506) is a storage area fortemporarily storing the new symptom (502) and the new specimen (503)corresponding to the new symptom (502). The symptom and specimen storageunit (506) may have an arbitrary configuration.

The storage area (508) includes the symptom database (509) and thespecimen database (510). The storage area (508) may be a magneticrecording medium such as a hard disk or a semiconductor disk such as asilicon disk. The symptom database (509) and the specimen database (510)may be recorded on the same recording medium or alternatively may berecorded on different recording mediums separately or in a distributedmanner. An analysis result presentation unit (511) generates informationfor displaying a result of the specimen analysis using symptoms (507) ona display device connected to the system of the administrator (501).

The administrator (501) may determine whether to store the new symptom(502) and the new specimen (503) corresponding to the new symptom (502)into the symptom database (509) and the specimen database (510),respectively, on the basis of the result of the specimen analysis usingsymptoms (507). Alternatively, the administrator (501) is allowed tomodify the rule of the new symptom (502) (including making the rule morestrict to increase the accuracy), to delete unnecessary events of thenew specimen (503), and to make the rule of the existing symptom storedin the symptom database (509) more strict.

FIG. 6 is a diagram illustrating an embodiment of repeated symptomdefinition verification. Verifying that the symptom definition is not arepeated symptom definition is carried out by analyzing (606) a shortspecimen (612) of an existing specimen stored in the specimen databaseusing the new symptom (602) and analyzing (608) a new short specimen(604) using a symptom (610) stored in the symptom database. The newsymptom (602) overlaps a symptom (610) stored in the symptom database ifthe analysis of the short specimen (612) stored in the specimen databaseshows that the short specimen hits (i.e., the short specimen in thespecimen database includes a set of events detected according to therule of the new symptom (602)), the analysis of the new specimen (604)shows that the new specimen hits according to the rule of an existingsymptom (610), and the set of events of the hitting short specimen (612)matches the set of events of the new specimen (604). Returning to FIG.5, in that case, the analysis result presentation unit (511) presentsthe administrator (501) with a notification that the new symptom (502)overlaps with a symptom stored in the symptom database (509). Theadministrator (501) may decline to store the new symptom (502) into thesymptom database (509) on the basis of the presentation. Furthermore,the administrator (501) may decline to store the new specimen (503)corresponding to the new symptom (502) into the specimen database.

FIG. 7 shows the verification of the rule of a new symptom. The newsymptom (702) corresponds to a new long specimen (704) generatedaccording to the new symptom (702). Existing long specimens (712) storedin the specimen database each correspond to existing symptoms (714)stored in the symptom database. The rule (710) of the new symptom (702)is verified by analyzing (706) a long specimen (708) (which is anexisting specimen) stored in the specimen database using the new symptom(702). The analysis determines whether there is a hit of a long specimen(708) stored in the specimen database including a set of events detectedaccording to the rule (710) of the new symptom (702) by the analysis ofthe long specimen (708). Returning to FIG. 5, if one or more longspecimens hit, the analysis result presentation unit (511) presents theexisting long specimens that have hit or the number of long specimenshit according to the rule of the new symptom (502). Moreover, ifnecessary, the analysis result presentation unit (511) presents that theaccuracy of the new symptom (502) may be low on the basis of theexisting specimens. The administrator (501) may examine the existinglong specimens that have hit from the presentation and increase theaccuracy of the rule of the new symptom (502) by modifying the rule ifthere is a hit of a long specimen unrelated to the symptom.

FIG. 8 shows the verification of the rules of existing symptoms. The newsymptom (702) corresponds to a new long specimen (704) generatedaccording to the new symptom (702). Existing long specimens (712) storedin the specimen database each correspond to existing symptoms (714)stored in the symptom database. Verifying the rule (810) of an existingsymptom (808) is carried out by analyzing (806) the new long specimen(704) using an existing symptom (808) stored in the symptom database.The analysis determines whether there is a hit of the new long specimen(704) according to the rule (810) of the existing symptom (808).Referring to FIG. 5, in response to a hit of the new specimen, theanalysis result presentation unit (511) presents an existing symptomincluding the rule that has produced the hit of the new specimen. Theanalysis result presentation unit (511) presents the number of existingsymptoms that cause the hit of the new specimen. If necessary, theanalysis result presentation unit (511) presents that the accuracy ofthe existing symptom may be low on the basis of the new specimen. Theadministrator (501) checks if there is any problem described in theexisting symptom from the presentation. If there is a problem, theadministrator (501) may delete the set of unnecessary events in the newspecimen (503) to prevent the occurrence of the hit. On the other hand,unless there is a problem, the administrator (501) may modify the ruleof the existing symptom concerned to increase the accuracy of the rule.

In order to verify the modified rule of the existing symptom, the systemanalyzes the new specimen (503), which may be the new long specimen, forexample, using the modified existing symptom.

FIG. 9 is a flowchart showing the verification of a symptom. In someembodiments, the repeated definition is verified first. However, inother embodiments, performing the verification of the repeated symptomdefinition is carried out after the verification of the symptom rule.The analysis of the specimen in the database using the new symptom mayprecede the analysis of a new specimen using the symptom in the databasefor the verification of the symptom rule, or the analysis of the newspecimen using the symptom in the database may precede the analysis ofthe specimen in the database using the new symptom for the verificationof the symptom rule. In various embodiments, portions of the method asdescribed above may be carried out in any order.

The method of FIG. 9 begins by generating the new symptom and the newspecimen (block 902). The method also includes verifying that thesymptom definition is not a repeated symptom definition (block 904), asdescribed above with reference to FIG. 6. Verifying that the symptomdefinition is not a repeated symptom definition ensures that the newsymptom does not overlap with a symptom stored in the symptom database.The method also includes verifying the symptom rule. Verifying thesymptom rule may include analyzing an existing specimen stored in thespecimen database using the new symptom (block 906), as described abovewith reference to FIG. 7. Analyzing an existing specimen may includeanalyzing the first specimen of an existing specimen. Verifying thesymptom rule may include analyzing a new specimen using the existingsymptoms stored in the symptom database (block 908), as described abovewith reference to FIG. 8. The method also includes presentingverification results from any of the verification processes discussedabove (block 910).

An exemplary computer system used in this embodiment of the presentinvention may have a CPU and a main memory, which are connected to abus. The bus is connected to a display device such as an LCD monitor viaa display controller. In addition, the bus is connected to a storagedevice such as, for example, a hard disk, silicon disk, CD, DVD, orother various drives, via an IDE or SATA controller. For a clientcomputer or a server computer, the internal configuration is the same asthe above computer system.

It should be understood that the inventive concepts disclosed herein arecapable of many modifications. To the extent such modifications fallwithin the scope of the appended claims and their equivalents, they areintended to be covered by this patent.

What is claimed is:
 1. A self-managing computer system for managingrules of symptoms, the computer system comprising: computer storagestoring a symptom database which stores existing symptoms, each of theexisting symptoms having a symptom definition; and a specimen databasewhich stores existing specimens, wherein the existing specimens includea first existing specimen and a second existing specimen, wherein thefirst existing specimen is a subset of the second existing specimen, andwherein the existing second specimen corresponds to one of the existingsymptoms stored in the symptom database; and an analysis unit forverifying an accuracy of a rule of a new symptom, the analysis unitcomprising a computer processor and a computer memory operativelycoupled to the computer processor, the computer memory having disposedwithin it computer program instructions for: analyzing the existingsecond specimen using the new symptom to determine whether the existingsecond specimen overlaps with the new symptom according to the rule ofthe new symptom, including determining whether the existing secondspecimen includes a set of events detected according to the rule of thenew symptom to determine whether to add the new symptom to the symptomdatabase; and when the existing second specimen overlaps with the newsymptom, presenting a notification of the accuracy of the new symptom.2. The computer system according to claim 1, wherein the computer systemreceives input for increasing the accuracy of the rule of the newsymptom.
 3. The computer system according to claim 2, wherein theincreasing the accuracy of the rule includes modifying the rule toincrease the accuracy of the rule.
 4. The computer system according toclaim 1, wherein the computer system receives input for modifying therule if the existing second specimen is unrelated to the new symptom. 5.The computer system according to claim 1, wherein a new second specimenis generated according to the new symptom.
 6. The computer systemaccording to claim 5, wherein when the existing second specimen overlapswith the new symptom, the computer system adds the new second specimento the specimen database.
 7. The computer system according to claim 1,further comprising an analysis result presentation unit, wherein theanalysis result presentation unit, in response to the determination ofan overlap of the existing second specimen with the new symptom,presents the existing second specimen that includes a rule that producedthe overlap.
 8. The computer system according to claim 7, wherein theanalysis result presentation unit further presents a number of theexisting specimens that causes the overlap.
 9. A computer-implementedmethod for self-managing rules of symptoms on a computer system, themethod comprising: providing, in a computer storage, a symptom databasewhich stores existing symptoms; providing, in the computer storage, aspecimen database which stores existing specimens, wherein the existingspecimens include a first existing specimen and a second existingspecimen, the first existing specimen is a subset of the second existingspecimen, and the existing second specimen corresponds to one of theexisting symptoms stored in the symptom database; providing an analysisunit for verifying an accuracy of a rule of a new symptom, the analysisunit comprising a computer processor and a computer memory operativelycoupled to the computer processor, the computer memory having disposedwithin it computer program instructions for: analyzing the existingsecond specimen using the new symptom to determine whether the existingsecond specimen overlaps with the new symptom according to the rule ofthe new symptom, including determining whether the existing secondspecimen includes a set of events detected according to the rule of thenew symptom to determine whether to add the new symptom to the symptomdatabase; and when the existing second specimen overlaps with the newsymptom, presenting a notification of the accuracy of the new symptom.10. The method according to claim 9, further comprising increasing theaccuracy of the rule of the new symptom.
 11. The method according toclaim 10, wherein the increasing the accuracy of the rule includesmodifying the rule to increase the accuracy of the rule.
 12. The methodaccording to claim 9, further comprising modifying the rule if theexisting second specimen is unrelated to the new symptom.
 13. The methodaccording to claim 9, wherein a new second specimen is generatedaccording to the new symptom.
 14. The method according to claim 13,further comprising when the existing second specimen overlaps with thenew symptom, adding the new second specimen to the specimen database.15. A computer program product for self-managing rules of symptoms on acomputer system, the computer program product disposed upon anon-transitory computer-readable medium, the computer program productcomprising: computer program instructions capable of maintaining asymptom database which stores existing symptoms; computer programinstructions capable of maintaining a specimen database which storesexisting specimens, wherein the existing specimens include a firstexisting specimen and a second existing specimen, wherein the firstexisting specimen is a subset of the second existing specimen, andwherein the existing second specimen correspond to one of the existingsymptoms stored in the symptom database; computer program instructionscapable of verifying an accuracy of a rule of a new symptom, includinganalyzing the existing second specimen using the new symptom todetermine whether the existing second specimen overlaps with the newsymptom according to the rule of the new symptom, including determiningwhether the existing second specimen includes a set of events detectedaccording to the rule of the new symptom to determine whether to add thenew symptom to the symptom database; and computer program instructionscapable of, when the existing second specimen overlaps with the newsymptom, when the existing second specimen overlaps with the newsymptom, presenting a notification of the accuracy of the new symptom.16. The computer program product according to claim 15, furthercomprising computer program instructions capable of receiving input forincreasing the accuracy of the rule of the new symptom.
 17. The computerprogram product according to claim 16, wherein the increasing theaccuracy of the rule includes modifying the rule to increase theaccuracy of the rule.
 18. The computer program product according toclaim 15, further comprising computer program instructions capable ofreceiving input for modifying the rule if the existing second specimenis unrelated to the new symptom.
 19. The computer program productaccording to claim 15, wherein a new second specimen is generatedaccording to the new symptom.
 20. The method according to claim 19,further comprising computer program instructions capable of, when theexisting second specimen overlaps with the new symptom, adding the newsecond specimen to the specimen database.